Windows 10/11 Home Edition and the OEM Bitlocker pitfall

Windows[German]Today a topic that might have put one or the other user in an unpleasant situation. A machine with Windows 10 Home Edition (or Windows 11 Home) suddenly requests a Bitlocker key after an update or other change. The user stands like a duck in a thunder storm, since he does not have this key and is actually not aware of ever having done anything with Bitlocker. The cause is a stupid chain of inadequacies in the form of Microsoft's implementation and the OEMs' anticipatory obedience.


Advertising

Always trouble with Bitlocker

Actually, the encryption of data media is a good thing, because the data is quite safe from being read by unauthorized persons. If an encrypted data medium gets into the hands of a third party, they can't do anything with it without the recovery key. With Bitlocker, Microsoft has built such an encryption feature into Windows, which can be used in companies to secure data media.

If an administrator approaches this in a planned manner and ensures that the Bitlocker recovery keys are backed up and used for recovery, all is fine. A problem occurs, if an end user has encrypted a device, and don't know, where the Bitlocker key has been stored or lost access on this key.

Changes requires Bitlocker recovery keys

This becomes a problem when a system suddenly requests a Bitlocker recovery key after an update or configuration change (e.g. swapping the motherboard), but the user doesn't have it. I had picked up on such a case in the blog post Windows 10: KB4535680 may trigger a Bitlocker Recovery but it was probably more related to the enterprise environment. If such a Bitlocker recovery problem occurs with thousands of clients, administrators have their work cut out for them.

UAnd there was the case in August 2022 that the update KB5012170 for Secure Boot DBX caused Bitlocker problems. After installing the update, Windows requested the Bitlocker recovery key, but this caused nasty problems on some systems because this key was not present. I had picked up on the whole thing in the blog post Update KB5012170 for Secure Boot DBX causes Bitlocker issues.

Windows 10/11 Home Auto-Encryption

The issue was kind of in the back of my mind that there were repeated reports that even systems with Windows 10 Home (and thus Windows 11) suddenly required a recovery key for consumers because they were encrypted with Bitlocker.


Advertising

Older cases from the past

I had picked this up once in 2017 in the blog post Windows 10: Bitlocker encrypts automatically, where it turned out that Windows 10 Pro automatically encrypts certain partitions on an HP ProBook 430 G5 during a fresh install. During the research, it also came out that Dell does something similar. Dell wrote about this:

BitLocker device encryption is supported on a wide range of devices, including devices that meet modern standby standards and devices running Windows 10 Home Edition or Windows 11.

The prerequisite is a UEFI, a TPM 2.0 module, certain storage media (SSD, hybrid drive, etc.), as Dell states here. In addition, Modern Standby (S0) has to be enabled. Microsoft even goes so far as to encrypt self-encrypting drives with Bitlocker instead of relying on the manufacturer's encryption (see my blog post Microsoft uses Bitlocker self-encrypting drives (SEDs)).

A post in the Microsoft Answers forum

At the end of January 2023, Julia emailed me about a new post in the English-language Microsoft Answers community (thanks for that). The post When a manufacturer adds BitLocker encryption on Home edition sheds some light on why some systems suddenly have disks encrypted with Bitlocker. One user wrote there:

When a manufacturer adds BitLocker encryption on Home edition

This involves Windows 11 Home for me, but I suspect it will apply to Windows 10 Home.

I got a new laptop with Windows 11 Home installed today made by Lenovo. I have been setting it up and happened to check Disk Management and saw BitLocker on the C: drive.

Windows 11 Bitlocker device

I was surprised. I have not enabled it in any way and I well know that BitLocker is not included with Windows Home editions. (but there it is).

So previously seen posts/threads of people finding BitLocker enabled on Home editions when it isn't available on Home are true. I have checked my Microsoft account and it shows a 48 character key for BitLocker recovery registered against this new laptop. I have never used BitLocker in the past and this is a new addition to my account.

If Lenovo do it then it could be the case with any manufacturer.

There it was again, the piece in the puzzle, that even systems with Windows 10 or Windows 11 in the Home editions can have volumes encrypted with Bitlocker – and without the user having this encryption turned on. This coincides with my observations outlined above and causes problems when something changes on the system and a Bitlocker recovery key is suddenly needed.

Microsoft may automatically enable Bitlocker

Another user then posted a link to Microsoft's support post BitLocker Device Encryption, , which matches what I said above about Dell systems. I've pulled out the relevant passages:

Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.

So the behavior has been available since Windows 8.1 on devices with Modern Standby, even in Windows 10/11 Home if the hardware requirements are met. Microsoft now assumes that most devices meet the requirements for BitLocker Device Encryption, so that BitLocker Device Encryption is widely available on all modern Windows devices. Thus, systems should be further protected by the transparent implementation of device-wide data encryption using BitLocker Device Encryption.

In addition, Microsoft writes that BitLocker Device Encryption is automatically enabled – in a departure from the default BitLocker implementation – so that the device is always protected. Then Microsoft specifies in which scenarios BitLocker Device Encryption is automatically enabled:

  • When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
  • If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.
  • If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS:Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Do not enable BitLocker until recovery information is stored in AD DS for operating system drivesWith this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
  • Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.

These are some cases – for Home Edition users, automatic activation is probably relevant when reinstalling Windows 11 or Windows 10.

Block Bitlocker encryption

MMicrosoft recommends automatically enabling BitLocker device encryption on all systems that support it. However, the automatic BitLocker device encryption process can be prevented by changing the following registry setting:

  • Subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
  • Type: REG_DWORD
  • Value: PreventDeviceEncryption equal to 1 (True)

Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically provides additional BitLocker options. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if configuration changes are required.

Disable Bitlocker encryption in Home

The question: is the device encrypted with Bitlocker? can be addressed in two ways in Home editions. First, when you look at the media in the Disk Management, a note about Bitlocker encryption should appear (see the screenshot above). In addition, there is the command line tool manage-bde.exe which can be used in a command prompt invoked with Run as administrator. With the command:

manage-bde -status

the state of the Bitlocker encryption on the system is displayed in the command line. If a none appears there for Bitlocker, the encryption is not active. To switch off the Bitlocker encryption, use the command:

manage-bde -off c:

whereby in the above example the logical drive C: is addressed. Alternatively, you can check whether the item Device encryption exists in the settings page of the home editon under Update & Security (Windows 10) or under Privacy and Security (Windows 11). You should then be able to find the status and, if necessary, an option to disable it there.

Bitlocker key stored within the Microsoft account

Let's now move on to the question of where to find the automatically created Bitlocker recovery key. It already sounded in the MS Answers forum post above: The user had found the recovery key in his Microsoft account created for Windows 11 Home.

At this point, two pieces of the puzzle fell into place for me, because a few days earlier I had found the (German) excerpt on Bitlocker from c't 4/2023 at heise. There I had read that Bitlocker is also activated as device encryption under the Home Editions – and that the Bitlocker recovery key is bound to the Microsoft account. The key can be viewed after logging in at the URL account.microsoft.com/devices/recoverykey.

Thus, anyone who has access to a Microsoft account can get the Bitlocker recovery key for the device. If access to the Microsoft account is lost and the Bitlocker recovery key is suddenly needed, it is all over. At this point, it also becomes clear why Microsoft is pushing online accounts more and more on modern systems.

Final thoughts

The bottom line is that I find this all a rather toxic constellation, because in the hands of private users, disasters are likely to be preprogrammed. In addition to the "toxic" updates mentioned above that lead to the request for a recovery key, changes to the motherboard or even plain BIOS updates are also likely to lead to this scenario. And what if the Microsoft account to which the key is assigned is then locked or deleted and there is no longer any access to the key stored there?

Or how do you see the matter? And were you aware of this connection in this consequence? I confess, the fragments were somewhere in the blog in various posts – but the overall picture was not present to me in the summary presented here in the post.

Similar articles
Windows 10: KB4535680 may trigger a Bitlocker Recovery
Dell: New BIOS is causing Bitlocker issues
Update KB5012170 for Secure Boot DBX causes Bitlocker issues
Windows 10: Be aware of WinRE WinRE patch to fix Bitlocker bypass vulnerability CVE-2022-41099
Windows 10: Update on WinRE patch (fix for Bitlocker bypass vulnerability CVE-2022-41099)
Windows 10 1909: Intune bugfix in BitLocker Key Rotation
Microsoft uses Bitlocker self-encrypting drives (SEDs)
Windows 10 V1903 Bitlocker issue: TPM 2.0 drops error 10
Windows 10: Bitlocker encrypts automatically
Windows 10: Important Secure Boot/Bitlocker Bug-Fix
Bitlocker on SSDs: Microsoft Security Advisory Notification (Nov. 6, 2018)
SSD vulnerability breaks (Bitlocker) encryption
New Surface Book 2 Firmware Update with Bitlocker issue
Windows 10 V1803: No BitLocker recovery backup in AD


Advertising

This entry was posted in issue, Windows and tagged , , , . Bookmark the permalink.

3 Responses to Windows 10/11 Home Edition and the OEM Bitlocker pitfall

  1. michwael says:

    "toxic" is the right word… and i would add sneaky, corporate microsoft blackmailing to olely be bound to a microsoft account.

    i've just discovered that this automatically enforced bitlocker encryption disables me from setting up a linux system aside the existing windows home system that came with my ASUS zenbook. i.e. when you try to install a linux partition aside the encrypted NTFS windows one, this is impossible without prior de-cryption of the windows drive. additionally, a windows bitlocker encrypted device is unable to share files/data with any linux system.

    thanks, microsoft, for yet another sneaky step into windows monopolism.

  2. Kim says:

    Thanx for your brilliant writings.

    Having come to the same results I face one difference.
    My machines are deliberately set up without and never connected to a MS account.

    It seems that in the initial install of (at least) Windows home editions 10 and 11 the C-drive is encrypted and the key actually stored "on the drive" and "in the clear".
    So given that I could find the key I could unlock the drive to for instance partition it and install Ubuntu in parallel with windows.
    But searching intensively for the placement of the key and how to get it has gotten me nowhere.
    Does anyone know where and how to get it in this situation?
    Also does anyone know how to avoid this drive-encryption when doing fresh or first install of Windows?

    Best regards

    Kim

  3. Emily says:

    I cannot thank you enough for this post – I was losing my mind with this. Windows 11 home bought very recently (and indeed, from Lenovo) and it randomly booted up with the Bitlocker screen one day – of course very confusing and I had no idea if/where a key existed.. I assumed it was an error so just did a hard reset and it… came back on, seems this was just luck?

    The info in this post helped me confirm that the same situation applies to my machine…I did not want to link a microsoft account so had used my google account, and had no idea it would save a key to a microsoft account it creates with the google account? Insidious, and an absolute nightmare – as if you try, on the laptop, to check on signing up for bitlocker status /"signing up" for it, you just get told to upgrade to pro!

    Long story short – after hours of digging your post is the only thing that finally brought sanity. For now I have located the key and at another point I will look to disable it altogether. Horrific situation! Thanks again – so grateful!

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).